Device for reproducing data

ABSTRACT

A cellular phone (100) stores encrypted content data and encrypted license key distributed thereto in a memory card (110). The cellular phone (100) and the memory card (110) collectively perform a part of mutual authentication processing upon power-on. The encrypted license key (Kc) read from the memory card (110) is decrypted by a first decryption processing portion (1510) with a session key (Ks4), and is further decrypted by a second decryption processing portion (1514) with a system symmetric key (Kcom) for extraction. A third encryption processing portion (1516) decrypts the encrypted content data read from memory card (110) with the license key (Kc) to reproduce content data (Data).

TECHNICAL FIELD

The present invention relates to a data reproducing device used in an information distribution system, which can distribute information to terminals such as cellular phones, and can secure a copyright relating to copied information.

BACKGROUND ART

Owing to progress in information communication networks such as the Internet in recent years, users can easily access network information through personal terminals employing cellular phones or the like.

In such information communication, information is transmitted as digital signals. Therefore, each user can copy music data and video data, which are transmitted via the information communication network, without degradation in the audio quality and picture quality.

Accordingly, the right of the copyright owner may be significantly infringed when copyrighted content data such as music information and image data are transmitted over the information communication network without appropriate measures for protecting the copyrights.

Conversely, top priority may be given to the copyright protection by disabling or inhibiting distribution of content data over the digital data communication network, which is growing exponentially. However, this causes disadvantages to the copyright owner who can essentially collect a predetermined copyright royalty for copying copyrighted materials.

In the case where the copyrighted content data such as music data is distributed over a digital information network, e.g., configured as described above, each user records the distributed content data on an appropriate recording device, and then reproduces it by a reproducing device.

The recording device for such a purpose may be a medium such as a memory card, which allows electrical writing and erasing of data.

Further, the device for reproducing the content data may be formed of a cellular phone itself, which is used for receiving the content data, or may be a dedicated reproducing device if the recording device is a memory card or the like, and is removably attached to the device receiving the distribution data.

In the above case, security measures are required for the record medium so that the distributed content data cannot be freely transferred from the record medium receiving the data to another record medium or the like without authorization from a copyright owner.

For improving the security of the above system, which is configured to transfer data between devices forming the system and/or through an externally accessible region within the device, it is necessary to give sufficient consideration to authentication processing, encryption processing and others.

As a higher level of security is employed in the authentication processing and encryption processing, an unnecessarily longer time is required even in a regular device before starting the reproduction of the content data for listening or viewing it.

DISCLOSURE OF THE INVENTION

An object of the invention is to provide a data reproducing device for reproducing distributed content data held in a recording device, and particularly a data reproducing device having a function of protecting the content data from unauthorized access to the content data by a person other than a user.

Another object of the invention is to provide a data reproducing device, which can improve a security of a data distribution system, and can quickly start processing of reproducing content data.

For achieving the above objects, the invention provides a data reproducing device for decrypting encrypted content data to reproduce content data, including a data storing portion, a data reproducing portion and a first control portion.

The data storing portion holds the encrypted content data and a license key for decrypting the encrypted content data, outputs the license key in an encrypted form and is removably attached to the data reproducing device. The data reproducing portion receives the output of the data storing portion, and reproduces the encrypted content data. The first control portion controls transmission between the data storing portion and the data reproducing portion.

The data reproducing portion includes a first decryption processing portion, an authentication data holding portion, a private key holding portion, a second decryption processing portion, a first session key generating portion, a first encryption processing portion and a third decryption processing portion. The first decrypting portion receives the license key and the encrypted content data read from the data storing portion, and decrypts the encrypted content data with the license key to extract content data. The authentication data holding portion holds authentication data prepared by encrypting a public key preapplied to the data reproducing portion into a form decodable with a public authentication key for outputting the encrypted authentication data to the data storing portion. The private key holding portion holds a private key used for decrypting data encrypted with the preapplied public key. The second decryption processing portion receives a first session key encrypted with the public key and supplied from the data storing portion, performs decryption with the private key to extract the first session key and holds the extracted first session key. The first session key generating portion produces a second session key to be updated upon every access to the data storing portion for obtaining the license key. The first encryption processing portion encrypts the second session key with the first session key held by the second decryption processing portion for output to the data storing portion. The third decryption processing portion receives the license key encrypted with the second session key and supplied from the data storing portion, performs the decryption with the second session key to extract the license key, and supplies the extracted license key to the first decryption processing portion.

The data storing portion includes a recording portion, a fourth decryption processing portion, a second control portion, a second session key generating portion, a second encryption processing portion, a fifth decryption processing portion and a third encryption processing portion. The recording portion records the encrypted content data and the license key. The fourth decryption processing portion receives the authentication data, and decrypts the authentication data with the public authentication key to extract the public key. The second control portion performs authentication processing based on results of the decryption processing by the fourth decryption processing portion to determine whether the license key is to be output to the data reproducing portion or not. The second session key generating portion produces and holds the second session key to be updated every time the second control portion determines that the license key is to be output to the data reproducing portion. The second encryption processing portion encrypts the second session key with the public key for applying the second session key to the data reproducing portion. The fifth decryption processing portion decrypts, with the first session key, the second session key applied from the data reproducing portion and encrypted with the first session key to extract the first session key. The third encryption processing portion encrypts the license key with the second session key for applying the license key to the data reproducing portion.

The first control portion performs the control to utilize the first session key common to processing of supplying the plurality of license keys to the content reproducing portion from the data storing portion corresponding to the plurality of continuous reproduction operations of the encrypted content data, to utilize, in each of the license key supply operations, the second session key different from those for the other license key supply operations, and controls the second decryption processing portion to hold the first session key during a predetermined period common to the plurality of license key supply operations.

Preferably, the predetermined period is a period determined within an active period of the data reproducing device and after attachment of the data storing portion to the data producing portion.

Preferably, the predetermined period is a period determined after the reproducing device carrying the data storing portion becomes active.

According to another aspect, the invention provides a data reproducing device for storing encrypted content data and a license key for decrypting the encrypted content data, forming an encryption communication path for output of the license key, receiving the encrypted content data and the license key from a data recording device outputting the license key via the encryption communication path, and reproducing the encrypted content data, including a control portion, a first decryption processing portion, an authentication data holding portion, a private key holding portion, a second decryption processing portion, a first session key generating portion, a first encryption processing portion and a third decryption processing portion.

The control portion controls transmission of the data between the data recording device and the data reproducing device. The first decryption processing portion receives the license key and the encrypted content data read from the data recording device, and decrypts the encrypted content data with the license key to extract the content data. The authentication data holding portion holds authentication data ({KPp(1)}KPma) prepared by encrypting private key (KPp(1)) preapplied to the data reproducing portion into a form decodable with a public authentication key (KPma) for outputting the encrypted authentication data to the data recording device. The private key holding portion holds a private key used for decrypting data encrypted with the preapplied public key. The second decryption processing portion receives a first session key updated upon every input of the authentication data, encrypted with the public key and supplied from the data recording device, performs decryption with the private key to extract the first session key and holds the extracted first session key. The first session key generating portion produces a second session key to be updated upon every access to the data recording device for obtaining the license key. The first encryption processing portion encrypts the second session key with the first session key held by the second decryption processing portion for output to the data recording device. The third decryption processing portion receives the license key (Kc) encrypted with the second session key and supplied from the data recording device, performs the decryption with the second session key to extract the license key, and supplies the extracted license key to the first decryption processing portion.

The control portion performs the control to utilize the first session key common to processing of supplying the plurality of license keys to the content reproducing portion from the data storing portion corresponding to the plurality of continuous reproduction operations of the encrypted content data, to utilize, in each of the license key supply operations, the second session key different from those for the other license key supply operations, and controls the second decryption processing portion to hold the first session key during a predetermined period common to the plurality of license key supply operations.

In a distribution system of the data reproducing device according to the invention, therefore, a part of the processing of mutually authenticating the data reproducing device and a memory card is commonly utilized by a plurality of reproduction operations so that each reproduction operation can be performed rapidly.
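The key layering summarized above can be traced in a short simulation. This is an added sketch, not code from the patent: the ciphers are toy stand-ins (the text names none), the class and function names are hypothetical, the RSA key pair and sample content are constructed, and the check of the authentication data against KPma is assumed to have succeeded.

```python
import hashlib, hmac, secrets

# Toy primitives: the patent names no ciphers, so these are stand-ins.
def sym_encrypt(key, plaintext):
    """Symmetric wrap: SHAKE-256 keystream XOR plus an HMAC tag."""
    nonce = secrets.token_bytes(16)
    stream = hashlib.shake_256(key + nonce).digest(len(plaintext))
    body = bytes(a ^ b for a, b in zip(plaintext, stream))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def sym_decrypt(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or modified data")
    stream = hashlib.shake_256(key + nonce).digest(len(body))
    return bytes(a ^ b for a, b in zip(body, stream))

# Constructed toy key pair for the reproducing device (textbook RSA over two
# Mersenne primes: trivially factorable, for illustration only).
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
KCOM = secrets.token_bytes(16)          # system symmetric key (Kcom)
SAMPLE = b"constructed sample track"    # constructed content data

class MemoryCard:
    """Data storing portion: holds {Kc}Kcom and {Data}Kc."""
    def __init__(self, wrapped_license, encrypted_content):
        self.wrapped_license = wrapped_license
        self.encrypted_content = encrypted_content
        self.first_session_key = None

    def open_session(self, device_public_key):
        # Assumption: the authentication data was already verified with KPma.
        n, e = device_public_key
        self.first_session_key = secrets.token_bytes(16)
        # First session key, encrypted with the device's public key.
        return pow(int.from_bytes(self.first_session_key, "big"), e, n)

    def supply_license(self, wrapped_second_key):
        # Recover the per-access second session key, then wrap the license.
        second = sym_decrypt(self.first_session_key, wrapped_second_key)
        return sym_encrypt(second, self.wrapped_license)

class Player:
    """Data reproducing portion: keeps the first session key between plays."""
    def __init__(self):
        self.first_session_key = None
        self.private_key_ops = 0

    def initialize(self, card):
        # Done once per predetermined period (e.g. power-on or card attach).
        c = card.open_session((N, E))
        self.private_key_ops += 1
        self.first_session_key = pow(c, D, N).to_bytes(16, "big")

    def reproduce(self, card):
        second = secrets.token_bytes(16)  # fresh for every license supply
        wrapped = card.supply_license(sym_encrypt(self.first_session_key, second))
        kc = sym_decrypt(KCOM, sym_decrypt(second, wrapped))
        return sym_decrypt(kc, card.encrypted_content), wrapped

def demo(plays=3):
    kc = secrets.token_bytes(16)  # license key, wrapped as a server would
    card = MemoryCard(sym_encrypt(KCOM, kc), sym_encrypt(kc, SAMPLE))
    player = Player()
    player.initialize(card)
    return player, card, [player.reproduce(card) for _ in range(plays)]

if __name__ == "__main__":
    player, card, results = demo()
    print("plays:", len(results), "private-key operations:", player.private_key_ops)
```

Several plays cost one private-key operation in total, while the wrapped license on the wire differs on every play; once the card issues a new first session key, a player still holding the old one is refused.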

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 conceptually shows a whole structure of a data distribution system according to the invention;

FIG. 2 represents characteristics of data, information and others used for communication in the data distribution system shown in FIG. 1;

FIG. 3 is a schematic block diagram showing a structure of a license server 10;

FIG. 4 is a schematic block diagram showing a structure of a cellular phone 100;

FIG. 5 is a schematic block diagram showing a structure of a memory card 110;

FIG. 6 is a flowchart representing a reproduction initialization session in cellular phone 100 according to the first embodiment;

FIG. 7 is a flowchart representing a reproducing operation for reproducing music in cellular phone 100 according to the first embodiment;

FIG. 8 is a first flowchart representing a distributing operation in the data distribution system according to the first embodiment;

FIG. 9 is a second flowchart representing the distributing operation in the data distribution system according to the first embodiment;

FIG. 10 is a third flowchart representing the distributing operation in the data distribution system according to the first embodiment;

FIG. 11 is a first flowchart representing a transfer operation for transfer between two memory cards according to the first embodiment;

FIG. 12 is a second flowchart representing the transfer operation for transfer between the two memory cards according to the first embodiment;

FIG. 13 is a third flowchart representing the transfer operation for transfer between the two memory cards according to the first embodiment;

FIG. 14 represents characteristics of data, information and others used for communication in the data distribution system of the second embodiment;

FIG. 15 is a schematic block diagram showing a structure of a memory card 114 of the second embodiment;

FIG. 16 is a first flowchart representing a distributing operation performed when purchasing contents in the data distribution system according to the second embodiment;

FIG. 17 is a second flowchart representing the distributing operation performed when purchasing contents in the data distribution system according to the second embodiment;

FIG. 18 is a third flowchart representing the distributing operation performed when purchasing contents in the data distribution system according to the second embodiment;

FIG. 19 is a flowchart representing operations of various portions in the reproduction session of a system using a memory card of the second embodiment;

FIG. 20 is a first flowchart representing a transfer operation for transfer between two memory cards according to the second embodiment;

FIG. 21 is a second flowchart representing the transfer operation for transfer between the two memory cards according to the second embodiment;

FIG. 22 is a third flowchart representing the transfer operation for transfer between the two memory cards according to the second embodiment;

FIG. 23 represents characteristics of data, information and others used for communication in the data distribution system of the third embodiment;

FIG. 24 shows a structure of a license server 11 according to the third embodiment;

FIG. 25 is a schematic block diagram showing a structure of a cellular phone 103;

FIG. 26 is a first flowchart representing a distributing operation performed when purchasing contents in the data distribution system according to the third embodiment;

FIG. 27 is a second flowchart representing the distributing operation performed when purchasing contents in the data distribution system according to the third embodiment;

FIG. 28 is a third flowchart representing the distributing operation performed when purchasing contents in the data distribution system according to the third embodiment;

FIG. 29 is a flowchart representing operations of various portions in the reproduction session of a system using a memory card of the third embodiment;

FIG. 30 is a first flowchart representing a transfer operation for transfer between two memory cards according to the third embodiment;

FIG. 31 is a second flowchart representing the transfer operation for transfer between the two memory cards according to the third embodiment; and

FIG. 32 is a third flowchart representing the transfer operation for transfer between the two memory cards according to the third embodiment.

BEST MODE FOR CARRYING OUT THE INVENTION

Embodiments of the invention will now be described with reference to the drawings.

[First Embodiment]

FIG. 1 conceptually shows a whole structure of an information distribution system according to the invention.

The following description will be given by way of example on a structure of a data distribution system, in which music data is distributed to users over a cellular phone network. As will be apparent from the following description, the invention is not restricted to such an example, and may be applied to other cases, in which content data such as image data, movie data, educational material data, recitation (voice) data or a game program is distributed over another information communication network.

Referring to FIG. 1, a license server 10 administrating copyrighted music data encrypts music data (which will be also referred to as “content data” hereinafter) in a predetermined encryption manner, and applies the data thus encrypted to a cellular phone company, which is a distribution carrier 20 for distributing information. An authentication server 12 determines whether a cellular phone and a memory card of a user, who made access for requesting for distribution of the content data, are regular devices or not.

Distribution carrier 20 relays over its own cellular phone network the distribution request received from each user to license server 10. When license server 10 receives the distribution request, authentication server 12 determines whether the cellular phone and memory card of the user are regular devices or not. After it is confirmed that these are regular devices, license server 10 encrypts the requested content information, and distributes the content data to the user's cellular phone over the cellular phone network of distribution carrier 20.

In FIG. 1, a cellular phone 100 of a user 1 includes, e.g., a memory card 110, which is releasably attached thereto. Memory card 110 receives encrypted content data received by cellular phone 100, decrypts the data encrypted for the transmission, and applies the data to a music reproducing unit (not shown) in cellular phone 100.

Further, user 1 can listen to music, which is produced by reproducing such content data, via headphones 130 or the like connected to cellular phone 100.

In the following description, license server 10, authentication server 12 and distribution carrier (cellular phone company) 20 described above will be collectively referred to as a “music server 30” hereinafter.

Also, the processing of transmitting the content data from music server 30 to each cellular phone or the like will be referred to as “distribution” hereinafter.

Owing to the above structure, a user other than a regular user, who purchased a regular cellular phone and a regular memory card, cannot receive and reproduce the data distributed from music server 30 without difficulty.

Further, the system may be configured as follows. By counting the times of distribution of content data, e.g., for one song in distribution carrier 20, the royalty, which is charged every time the user receives the distributed content data, can be collected by distribution carrier 20 together with charges for telephone calls so that the copyright owner can easily ensure the royalty.

The foregoing distribution of the content data is performed over a closed system, i.e., the cellular phone network so that it is easy to take measures for the copyright protection, compared with open systems such as the Internet.

For example, a user 2 having a memory card 112 can receive content data directly from music server 30 by user's own cellular phone 102. However, such data reception may take a relatively long time if user 2 receives the content data or the like having a large information amount directly from music server 30. In connection with this, the system may be configured such that user 2 can copy the content data of user 1, who has already received it. This improves the convenience of users.

From the viewpoint of protecting right of the copyright owner, it is not allowed to provide a system configuration allowing free copying of content data.

In an example shown in FIG. 1, an operation, in which the content data itself received by user 1 is copied, and reproduction information required for reproducing the content data of user 1 is moved or transferred to user 2, is referred to as “transfer” of the music data. In this case, the encrypted content data and the information (i.e., reproduction information) required for the reproduction are transferred between memory cards 110 and 112 via cellular phones 100 and 102. As will be described later, the above “reproduction information” has a license key, which allows decryption or decoding of the content data encrypted in accordance with the predetermined cryptosystem, as well as license information such as a license ID and information relating to restrictions on access and reproduction.

In contrast to the “transfer”, an operation of copying content data itself is referred to as “duplication”. In the duplication, reproduction information required is not duplicated so that user 2 cannot reproduce the content data. Although not described in detail, user 2 can reproduce the content data by performing additional distribution of only the reproduction information including the license key.

Owing to the above structures, a user who received the content data from distribution server 30 can flexibly utilize the data.

If cellular phones 100 and 102 are PHSs (Personal Handy Phones), a telephone conversation can be performed in a so-called transceiver mode. By using this function, information can be transferred between users 1 and 2.

In the structure shown in FIG. 1, the system requires the following cryptosystems and structure for reproducing the content data, which is distributed in the encrypted form, on the user side. First, the system requires a cryptosystem for distributing an encryption key in the communication. Second, the system requires a cryptosystem for encrypting the data itself to be distributed. Third, the system requires a structure for protecting data by preventing unauthorized copying of the distributed data.

In the embodiment of the invention, when each of sessions of distribution and reproduction occurs, the destination or receiver of the content data is verified and checked sufficiently, and the content reproducing circuit (e.g., a cellular phone) can start the reproduction of the content data within a reduced time. The structures for these operations and effects will now be described.

[Structures of Data and Keys in System]

FIG. 2 collectively represents characteristics of keys relating to encryption for communication in the data distribution system shown in FIG. 1 as well as data and others to be distributed.

First, data Data is content data such as music data distributed from the distribution server. As will be described later, content data Data distributed from distribution server 30 takes a form of encrypted content data {Data}Kc, which is encrypted to allow decryption at least with a license key Kc.

In the following description, expression “{Y}X” represents that the data indicated by this expression was prepared by converting data Y into an encrypted form decodable with a decryption key X.

Together with the content data, distribution server 30 distributes additional information data Data-inf in plain text, which relates to the content data, or relates to access to the server. More specifically, additional information data Data-inf includes information for specifying a song title, an artist name and others of the content data, and also includes information for specifying distribution server 30 and other information.

The following keys are used for encryption processing and decryption/reproduction processing of the content data as well as for authentication of the content reproducing circuit (i.e., cellular phone) and the recording device (i.e., memory card).

As already described, license key Kc is used for decrypting and encrypting the content data. Also, public encryption key KPp(n) is used for authentication of the content reproducing circuit (cellular phone 100) and public encryption key KPmc(n) is used for authentication of the memory card.

The data encrypted with public encryption keys KPp(n) and KPmc(n) can be decrypted with private decryption key Kp(n) and private decryption key Kmc(n) unique to the memory card. These unique private decryption keys for each cellular phone or each memory card have contents different from those of the other kinds of cellular phones or the other kinds of memory cards. These kinds of the cellular phones and memory cards depend on respective units, which are determined based on kinds of manufacturers of them, manufacturing dates or periods (manufacturing lots) and others. The natural number “n” is added for identifying the kind of each memory card and each content reproducing circuit (cellular phone). The unit, which is common to public encryption keys KPmc(n) and KPp(n), will be referred to as a “class” hereinafter.

As secret keys common to the content reproducing circuit, the system employs a secret key Kcom, which is primarily utilized for obtaining license key Kc and restriction information for the content reproducing circuit to be described later, as well as an authentication key KPma operated commonly throughout the distribution system. Secret key Kcom is a decryption key in the symmetric key cryptosystem, and therefore is held as the encryption key in the distribution server.

Secret key Kcom is not restricted to the decryption key in the symmetric key cryptosystem, and may have a similar structure as private key in the public key cryptosystem. In this case, the distribution server may be configured to hold public encryption key KPcom, which is asymmetric to the decryption key, as an encryption key.

Public encryption keys KPmc(n) and KPp(n), which are determined depending on the memory card and the content reproducing circuit as described above, are recorded in the memory card and the cellular phone before shipment, and take the forms of authentication data {KPmc(n)}KPma and {KPp(n)}KPma, respectively. The authentication data is a key, which can be decrypted with authentication key KPma to verify the validity of the authentication data from results of this decryption. In other words, the authentication data is a key used for authorizing the public encryption key. The encryption for producing the authentication data is performed with a private key K, which is paired with and is asymmetric to the authentication key.

Further, the system uses information for controlling operations of the devices forming the system, i.e., devices such as cellular phone 100 (i.e., content reproducing circuit) and memory card 110, and the above information includes purchase conditions information AC, which is sent from cellular phone 100 to distribution server 30 for designating purchase conditions when the user purchases the license key or the like, access restriction information AC1, which is distributed from distribution server 30 to memory card 110 in accordance with purchase condition information AC for representing restrictions or the like on the allowed times of access to memory card 110, and reproducing circuit restriction information AC2, which is distributed from distribution server 30 to cellular phone 100 for representing restrictions on the reproduction conditions of the content reproducing circuit. For example, the reproduction conditions of the content reproducing circuit relate to conditions, which are used when a sample of a new song is distributed at a low price or no charge for sales promotion, and allow reproduction from the start of the content data only for a limited time.

As keys for administering the data in memory card 110, the system employs private encryption key KPm(i) (i: natural number) determined for each medium, i.e., memory card, and private decryption key Km(i), which is unique to each memory card and allows decryption of the data encrypted with private encryption key KPm(i). The natural number “i” is added for identifying each memory card from the others.

Further, the data distribution system shown in FIG. 1 uses the following keys and others in the data communication.

As the encryption keys for keeping secrecy in the data transmission from and into the memory card, the system uses symmetric keys Ks1-Ks4, which are produced by distribution server 30, cellular phone 100 or 102, and memory card 110 or 112 upon every distribution, reproduction and transfer of the reproduction information.

Symmetric keys Ks1-Ks4 are unique symmetric keys, and are generated in response to every “session”, which is a unit of communication or access between or to the distribution server, cellular phone and/or memory card. These symmetric keys Ks1-Ks4 will be referred to as “session keys” hereinafter.

These session keys Ks1-Ks4 have values unique to each communication session, and are administered by the distribution server, cellular phone and memory card.

More specifically, the license server in the distribution server generates session key Ks1 in response to every distribution session. The memory card generates session key Ks2 in response to every distribution session and every transfer session (receiving side). The memory card likewise generates session key Ks3 in response to every reproduction session and every transfer session (sending side). The cellular phone generates session key Ks4 in response to every reproduction session. In each session, these session keys are exchanged, and the session key produced by another device is received, and is used for encrypting the license key therewith, and then the license key and others thus encrypted are sent so that the security level in the sessions can be improved.

Further, the data transmitted between the distribution server and the cellular phone includes a content ID, by which the system identifies the content data, a license ID which is an administration code for specifying the time and the receiver of the issued license, and a transaction ID which is a code produced in response to every distribution session for specifying each distribution session.

[Structure of License Server 10]

FIG. 3 is a schematic block diagram showing a structure of licenseserver 10 shown in FIG. 1.

License server 10 includes an information database 304 which holds datafor distributing the data prepared by encrypting the music data (contentdata) in accordance with a predetermined cryptosystem as well as thelicense ID and others, an accounting database 302 for holding accountingdata according to start of access to the music data for each user, adata processing portion 310, which receives data from informationdatabase 304 and accounting database 302 via a data bus BS1, andperforms predetermined processing, and a communication device 350 forperforming data transmission between distribution carrier 20 and dataprocessing portion 310 over a communication network.

Data processing portion 310 includes a distribution control portion 315for controlling an operation of data processing portion 310 inaccordance with data on data bus BS1, a session key generating portion316 for generating session key Ks1 during the distribution session undercontrol of distribution control portion 315, a decryption processingportion 312 for receiving authentication data {KPmc(n)}KPma and{KPp(n)}KPma, which are encrypted to represent their validity bydecryption, and are sent from the memory card and the cellular phone,respectively, via communication device 350 and a data bus BS1, anddecrypting it with authentication key KPma, an encryption processingportion 318, which encrypts session key Ks1 produced by session keygenerating portion 316 with public encryption key KPmc(n) obtained bydecryption processing portion 312, and outputs the encrypted key ontodata bus BS1, and a decryption processing portion 320 for receiving thedata, which is encrypted with session key Ks1 on each user side and issent therefrom, via data bus BS1 and decrypting the same.

Data processing portion 310 further includes a Kcom holding portion 322 for holding secret key Kcom symmetric to the reproducing circuit as an encryption key, an encryption processing portion 324 for encrypting license key Kc and reproducing circuit restriction information AC2 applied from distribution control portion 315 with encryption key KPcom symmetric to the reproducing circuit, an encryption processing portion 326 for encrypting the data sent from encryption processing portion 324 with public encryption key KPm(i), which is obtained by decryption processing portion 320 and is unique to the memory card, and an encryption processing portion 328 for further encrypting the output of encryption processing portion 326 with session key Ks2 applied from decryption processing portion 320, and outputting the same onto data bus BS1.

In the structure described above, license server 10 utilizes secret key Kcom in the symmetric key cryptosystem as the encryption key. According to the public key cryptosystem, however, Kcom holding portion 322 holds public encryption key KPcom, which is asymmetric to secret key Kcom and can perform decryption into a form decodable with secret key Kcom, if secret key Kcom is private decryption key on the cellular phone side.

[Structure of Cellular Phone 100]

FIG. 4 is a schematic block diagram showing a structure of cellular phone 100 shown in FIG. 1.

In cellular phone 100, natural number n representing the class is equal to one.

Cellular phone 100 has an antenna 1102 for receiving radio signals sent over the cellular phone network, a send/receive portion 1104 for converting the signals received from antenna 1102 into baseband signals, and for modulating data sent from cellular phone 100 and sending it to antenna 1102, data bus BS2 for data transmission between various portions in cellular phone 100, and a controller 1106 for controlling operations of cellular phone 100 via data bus BS2.

Cellular phone 100 further includes a touch key unit 1108 for externally applying instructions to cellular phone 100, a display 1110 for giving information sent from controller 1106 or the like to the user as visible information, a voice reproducing portion 1112 for operating in an ordinary conversation operation to reproduce a voice from the received data sent via database BS2, a connector 1120 for external data transmission, and an external interface portion 1122, which can convert the data sent from connector 1120 into signals to be applied onto data bus BS2, and can convert the data applied from data bus BS2 into signals to be applied to connector 1120.

Cellular phone 100 further includes removable memory card 110 for storing and decrypting content data (music data) sent from distribution server 30, a memory interface 1200 for controlling transmission of data between memory card 110 and data bus BS2, and an authentication data holding portion 1500 for holding data prepared by encrypting public encryption key KPp(1), which is set uniquely to each class of the cellular phone, into the form decodable with authentication key KPma.

Cellular phone 100 further includes a Kp holding portion 1502 for holding private decryption key Kp(n) (n=1) unique to the cellular phone (content reproducing circuit), a decryption processing portion 1504 for decrypting the data received from data bus BS2 with private decryption key Kp(1) to obtain session key Ks3 generated by the memory card, a session key generating portion 1508 for generating session key Ks4, e.g., based on a random number for encrypting the data to be transmitted via data bus BS2 between cellular phone 100 and memory card 110 in the reproduction session for reproducing the content data stored in memory card 110, an encryption processing portion 1506 for encrypting session key Ks4 thus produced with session key Ks3 obtained by decryption processing portion 1504, and outputting the encrypted key onto data bus BS2, and a decryption processing portion 1510 for decrypting the data on data bus BS2 with session key Ks4 to output data {Kc//AC2}Kcom.

Cellular phone 100 further includes a Kcom holding portion 1512 for holding secret key Kcom unique to the content reproducing circuit, a decryption processing portion 1514 for decrypting data {Kc//AC2}Kcom output from decryption processing portion 1510 with secret key Kcom, and outputting license key Kc and reproduction circuit restriction information AC2, a decryption processing portion 1516 for receiving encrypted content data {Data}Kc from data bus BS2, and decrypting it with license key Kc obtained from decryption processing portion 1514 to output the content data, a music reproducing portion 1518 for receiving the output of decryption processing portion 1516 and reproducing the content data, a selector portion 1525 for receiving the outputs of music reproducing portion 1518 and voice reproducing portion 1112, and selectively outputting them depending on the operation mode, and a connection terminal 1530 for receiving the output of selector portion 1525 and allowing connection of head phones 130.

Reproduction circuit restriction information AC2 output from decryption processing portion 1514 is applied to controller 1106 via data bus BS2.

FIG. 4 shows only some of blocks forming the cellular phone for the sake of simplicity, and particularly shows only blocks relating to the distribution and reproduction of music data according to the invention. Some of blocks related to an original conversation function of the cellular phone are not shown.

[Structure of Memory Card 110]

FIG. 5 is a schematic block diagram showing a structure of memory card 110 shown in FIG. 4.

As already described, public encryption key KPm(i) and corresponding private decryption key Km(i) have values unique to each memory card. In the following description, it is assumed that natural number i is equal to one in memory card 110. Further, keys KPmc(n) and Kmc(n) are employed as public encryption key and private decryption key unique to the kind (class) of the memory card, respectively. It is also assumed that natural number n is equal to one in memory card 110.

Memory card 110 includes an authentication data holding portion 1400 for holding {KPmc(1)}KPma as the authentication data, a Kmc holding portion 1402 for holding decryption key Kmc(1) unique to each kind of the memory card, a Km(1) holding portion 1421 for holding private decryption key Km(1) set unique to each memory card, and a KPm(1) holding portion 1416 for holding private encryption key KPm(1) allowing decryption of the data encrypted with private decryption key Km(1). Authentication data holding portion 1400 holds public encryption key KPmc(1), which is set uniquely to the kind (class) of memory card, in an encrypted form, which can be decrypted with authentication key KPma.

Memory card 110 further includes a data bus BS3 for transmitting signals to and from memory interface 1200 via a terminal 1202, a decryption processing portion 1404 for receiving the data, which is applied onto data bus BS3 from memory interface 1200, and private decryption key Kmc(1) unique to the kind of memory card sent from Kmc(1) holding portion 1402, and outputting session key Ks1, which is produced by distribution server 30 in the distribution session, or session key Ks3, which is produced by another memory card in the transfer session, to contact Pa, a decryption processing portion 1408 for receiving authentication key KPma from a KPma holding portion 1414, and performing decryption on the data applied from data bus BS3 with authentication key KPma to apply results of the decryption to a controller 1420 and decryption processing portion 1410 via data bus BS4, and an encryption processing portion 1406 for encrypting data, which is selectively applied by a select switch 1444, with the key selectively applied by a select switch 1442, and outputting the encrypted data onto data bus BS3.

Memory card 110 further includes a session key generating portion 1418 for generating session key Ks2 or Ks3 in each of distribution, reproduction and transfer sessions, an encryption processing portion 1410 for encrypting session key Ks3 generated from session key generating portion 1418 with public encryption key KPp(n) or KPmc(n) obtained by decryption processing portion 1408, and outputting the key thus encrypted onto data bus BS3, and a decryption processing portion 1412 for receiving the data encrypted with session key Ks2 or Ks3 from data bus BS3, and decrypting it with session key Ks2 or Ks3 obtained from session key generating portion 1418 to send results of the decryption onto data bus BS4.

Memory card 110 further includes an encryption processing portion 1424 for encrypting the data on data bus BS4 with public encryption key KPm(i) (i≠1) for another memory card in the transfer session (sender side), a decryption processing portion 1422 for decrypting the data on data bus BS4 with private decryption key Km(1), which is unique to memory card 110 and is paired with public encryption key KPm(1), and a memory 1415 for receiving and storing the reproduction information (license key Kc, content ID, license ID, access restriction information AC1 and reproducing circuit restriction information AC2), which is encrypted with public encryption key KPm(1) and is sent from data bus BS4, and for receiving and storing encrypted content data {Data}Kc and additional information Data-inf sent from data bus BS3.

Memory card 110 further includes a license information holding portion 1440 for holding the license ID, content ID and access restriction information AC1 obtained by decryption processing portion 1422, and a controller 1420 for externally transmitting data via data bus BS3, receiving the reproduction information and others from data bus BS4 and controlling the operation of memory card 110.

A region TRM surrounded by solid line in FIG. 5 is arranged within a module TRM, which is configured to erase internal data or destroy internal circuits for disabling reading of data and others in the circuits within this region by a third party when an illegal or improper access to the inside of memory card 110 is externally attempted. This module is generally referred to as a “tamper resistant module”.

Naturally, memory 1415 may be located within module TRM. According to the structure shown in FIG. 5, however, the data held in memory 1415 is entirely encrypted so that a third party cannot reproduce the music from the content data using only the data in memory 1415, and further, it is not necessary to locate memory 1415 within the expensive tamper resistance module. Therefore, the structure in FIG. 5 can reduce a manufacturing cost.

[Reproducing Operation]

(Reproduction Initialization Session)

Description will now be given on the reproducing operation (which will be referred to as the “reproduction session” hereinafter), in which music is reproduced from the encrypted content data held in memory card 110, and is externally output.

FIG. 6 is a flowchart representing various operations in initialization processing, which may also be referred to as “reproduction initialization session”, for performing a part of mutual authentication processing between cellular phone 100 and memory card 110.

In such a case that (i) the power of cellular phone 100, to which memory card 110 is already attached, is turned on, (ii) when memory card 110 is inserted into cellular phone 100, of which power is already on, or (iii) a new session key is produced in the distribution session, transfer session or the like, processing in the reproduction initialization session is collectively performed as will be described later, and a part of the mutual authentication processing between cellular phone 100 and memory card 110 is commonly utilized by the plurality of operations of the reproduction processing. Thereby, each reproducing operation can be performed rapidly.

Referring to FIG. 6, when the reproduction initialization session starts in accordance with the foregoing timing under the control of controller 1106 of cellular phone 100 (step S200), cellular phone 100 operates to output authentication data {KPp(1)}KPma, which can be decrypted with authentication key KPma, from authentication data holding portion 1500 onto data bus BS2 (step S202).

Authentication data {KPp(1)}KPma is transmitted to memory card 110 via data bus BS2 and memory interface 1200.

In memory card 110, decryption processing portion 1408 takes in authentication data {KPp(1)}KPma, which is transmitted onto data bus BS3 via terminal 1202. Decryption processing portion 1408 receives authentication key KPma from a KPma holding portion 1414, and decrypts the data sent from data bus BS3. If public encryption key KPp(1) encrypted with authentication key KPma is regularly registered and is regularly encrypted, and thus if decryption can be performed with authentication key KPma, and the belonging data generated by the decryption can be authenticated, the decrypted public encryption key KPp(1) is accepted. If not, or if the belonging data generated by the decryption cannot be authenticated, the obtained data is not accepted (step S243).

When decryption processing portion 1408 accepts the public encryption key KPp(1), which is unique to the content reproducing circuit in cellular phone 100, controller 1420 determines that the public encryption key KPp(1) sent thereto is the public encryption key assigned to the content reproducing circuit authenticated in this data distribution system, and the processing moves to a next step S210 (step S206). If not accepted, it is determined that invalid access is made by an unauthorized device, and the processing ends (step S240).

When public encryption key KPp(1) is accepted, controller 1420 instructs session key generating portion 1418 via data bus BS4 to produce session key Ks3 in the reproduction session. Session key Ks3 produced by session key generating portion 1418 is sent to encryption processing portion 1410. Encryption processing portion 1410 encrypts session key Ks3 with public encryption key KPp(1) of cellular phone 100 obtained by decryption processing portion 1408, and outputs encrypted data {Ks3}Kp(1) onto data bus BS3 (step S210).

Cellular phone 100 receives encrypted data {Ks3}Kp(1) applied onto data bus BS via terminal 102 and interface 1200. Encrypted data {Ks3}Kp(1) is decrypted by decryption processing portion 1504, and session key Ks3 produced by memory card 110 is accepted (step S212). Thereby, reproduction initialization session ends (step S213).

As described above, memory card 110 receives the authentication data kept in the content reproducing circuit (cellular phone 100), which is a destination of the data output for the reproduction, and verifies that cellular phone 100 is a regular reproducing device. Thereafter, memory card 100 sends session key Ks3 unique to the session for establishing connection to the verified destination. Cellular phone 100 receiving session key Ks3 and memory card 110 sending the same hold and share session key Ks3 for subsequent reproduction.

(Reproduction Processing)

FIG. 7 is a flowchart representing the reproduction processing following the reproduction initialization session in FIG. 6.

When user 1 applies an instruction to produce the reproduction request via touch key unit 1108 or the like of cellular phone 100 (step S201), controller 110 of cellular phone 100 responds to this reproduction request, and instructs session key generating portion 1508 via data bus BS2 to generate session key Ks4 produced by cellular phone 100 in the reproduction session. Session key Ks4 thus produced is sent to encryption processing portion 1506, and is encrypted with session key Ks3 obtained by decryption processing portion 1504 to produce encrypted key {Ks4}Ks3, which is output onto data bus BS2 (step S214).

Encrypted session key {Ks4}Ks3 is transmitted to memory card 110 via memory interface 1200. In memory card 110, decryption processing portion 1412 decrypts encrypted session key {Ks4}Ks3 transmitted onto data bus BS3, and session key Ks4 produced in cellular phone 100 is accepted (step S216).

In response to acceptance of session key Ks4, controller 1420 determines access restriction information AC1 in license information holding portion 1440 bearing the corresponding content ID (step S218).

In step S218, access restriction information AC1 relating to restrictions on the memory access is determined. If the reproduction is already impossible, the reproduction session ends (step S240). If the reproduction is possible but the allowed times of reproduction are restricted, the operation moves to a next step after updating the data of access restriction information AC1 to update the allowed times of reproduction (step S220). If access restriction information AC1 does not restrict the reproduction times, step S220 is skipped, and the processing moves to next step S222 without updating access restriction information AC1.

When the content ID corresponding to the requested song is not present in license information holding portion 1440, it is likewise determined that the reproduction is impossible, and the reproduction session ends (step S240).

When it is determined in step S218 that the reproduction is allowed in the current reproduction session, decryption processing is performed for obtaining license key Kc of the reproduction-requested song recorded in the memory as well as reproducing circuit restriction information AC2. More specifically, decryption processing portion 1454 operates in response to the instruction of controller 1420 to decrypt encrypted data {{Kc//AC2}Kcom//license ID//content ID//AC1}Km(1), which is read from memory 1415 onto data bus BS4, with private decryption key Km(1) unique to memory card 110. Thereby, encrypted data {Kc//AC2}Kcom decodable with secret key Kcom is obtained (step S222).

Encrypted data {Kc//AC2}Kcom thus obtained is sent to encryption processing portion 1406 via a contact Pd of select switch 1444. Encryption processing portion 1406 further encrypts encrypted data {Kc//AC2}Kcom received from data bus BS4 with session key Ks4, which is received from decryption processing portion 1412 via contact Pb of select switch 1442, and outputs {{Kc//AC2}Kcom}Ks4 onto data bus BS3 (step S224).

The encrypted data output onto data bus BS3 is sent to cellular phone 100 via memory interface 1200.

In cellular phone 100, decryption processing portion 1510 decrypts encrypted data {{Kc//AC2}Kcom}Ks4 transmitted onto data bus BS2 via memory interface 1200, and accepts data {Kc//AC2}Kcom, i.e., encrypted license key Kc and reproduction circuit restriction information AC2 (step S226). Decryption processing portion 1514 decrypts encrypted data {Kc//AC2}Kcom with secret key Kcom, which is received from Kcom holding portion 1512 and is symmetric to the content reproducing circuit, and accepts license key Kc and reproducing circuit restriction information AC2 (step S228). Decryption processing portion 1514 transmits license key Kc to decryption processing portion 1516, and outputs reproducing circuit restriction information AC2 onto data bus BS2.

Controller 1106 accepts reproducing circuit restriction information AC2 via data bus BS2, and determines the reproducibility (step S230).

When it is determined from reproducing circuit restriction information AC2 in step S230 that the reproduction is impossible, the reproduction session ends (step S240).

If the reproduction is possible, encrypted content data {Data}Kc of the requested song recorded in the memory of memory card 110 is output onto data bus BS3, and is transmitted to cellular phone 100 via memory interface 1200 (step S232).

In cellular phone 100, decryption processing portion 1516 decrypts encrypted content data {Data}Kc, which is output from memory card 110 and is transmitted onto data bus BS2, with license key Kc so that content data Data in plain text can be obtained (step S234). From decrypted content data Data in plain text, music reproducing portion 1518 reproduces music, and the reproduced music is externally output via switching portion 1525 and terminal 1530 so that the processing ends (step S240).

As described above, the reproduction initialization session is separated from the reproduction session, and is commonly utilized by the plurality of songs or tunes so that the music can be quickly started in response to the reproduction request of the user.

Further, session key Ks4 is generated for every reproduction, and is used for encryption for sending license key Kc from memory card 110 to the content reproducing circuit (cellular phone 100). Therefore, the same song can be repeated without passing the same data through memory interface 1200. Thereby, the level of security does not lower, as compared with the case where the reproduction initialization session is not separated, and is performed at the start of the every reproduction processing.

In the reproduction session, a series of operations starting from the predetermined initialization session are performed such that the encryption keys produced by the cellular phone and the memory card are mutually transmitted, and each of them executes the encryption with the received encryption key, and sends the encrypted data to the other party. As a result, mutual authentication can be performed in the operations of sending and receiving the encrypted data in the distribution session, and the security can be ensured in the data distribution system.
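The reproduction processing of steps S214 to S234 can be modelled as follows. This is an added example, not code from the patent. It assumes that session key Ks3 is already shared by the initialization session, uses an HMAC-SHA256 keystream with an integrity tag as a stand-in for the unspecified cryptosystem, and models the KPm(1)/Km(1) pair with a single symmetric key; the class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets


def _prf(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()


def _stream(key, nonce, n):
    enc_key = _prf(key, b"enc")
    blocks = (_prf(enc_key, nonce + i.to_bytes(4, "big")) for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def seal(key, plaintext):
    """{plaintext}key in the page's notation, using a stand-in cipher (assumption)."""
    nonce = secrets.token_bytes(16)
    body = bytes(p ^ s for p, s in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + body + _prf(_prf(key, b"mac"), nonce + body)


def unseal(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), nonce + body)):
        raise ValueError("wrong key or modified data")
    return bytes(c ^ s for c, s in zip(body, _stream(key, nonce, len(body))))


class MemoryCard:
    def __init__(self, ks3, content_id, kcom_wrapped, enc_content, plays_allowed):
        self.ks3 = ks3
        self.km1 = secrets.token_bytes(32)  # stand-in for the KPm(1)/Km(1) pair
        record = len(kcom_wrapped).to_bytes(2, "big") + kcom_wrapped + content_id
        # Memory 1415: the license record under Km(1), plus {Data}Kc as received.
        self.memory = {content_id: (seal(self.km1, record), enc_content)}
        # License information holding portion 1440: AC1 (None means unrestricted).
        self.ac1 = {content_id: plays_allowed}

    def reproduce(self, content_id, wrapped_ks4):
        ks4 = unseal(self.ks3, wrapped_ks4)                          # S216
        if content_id not in self.ac1 or self.ac1[content_id] == 0:  # S218
            raise PermissionError("AC1 forbids reproduction")
        if self.ac1[content_id] is not None:                         # S220
            self.ac1[content_id] -= 1
        record = unseal(self.km1, self.memory[content_id][0])        # S222
        n = int.from_bytes(record[:2], "big")
        return seal(ks4, record[2:2 + n])                            # S224

    def content(self, content_id):
        return self.memory[content_id][1]                            # S232


class Phone:
    def __init__(self, ks3, kcom):
        self.ks3, self.kcom, self.ks4 = ks3, kcom, None

    def request(self):
        self.ks4 = secrets.token_bytes(32)  # S214: fresh Ks4 for every reproduction
        return seal(self.ks3, self.ks4)

    def play(self, wire_msg, enc_content):
        inner = unseal(self.ks4, wire_msg)                           # S226
        kc_ac2 = unseal(self.kcom, inner)                            # S228
        kc, ac2 = kc_ac2[:32], kc_ac2[32]
        if ac2 != 1:                                                 # S230
            raise PermissionError("AC2 forbids reproduction")
        return unseal(kc, enc_content)                               # S234


def demo():
    kcom, kc, ks3 = (secrets.token_bytes(32) for _ in range(3))
    song = b"constructed sample content data"
    wrapped = seal(kcom, kc + b"\x01")  # {Kc//AC2}Kcom; AC2 = 1 is a constructed flag
    card = MemoryCard(ks3, b"song-1", wrapped, seal(kc, song), plays_allowed=2)
    phone = Phone(ks3, kcom)
    wire, plays = [], []
    for _ in range(2):
        msg = card.reproduce(b"song-1", phone.request())
        wire.append(msg)
        plays.append(phone.play(msg, card.content(b"song-1")))
    phone.request()  # a later reproduction uses a new Ks4
    try:
        phone.play(wire[0], card.content(b"song-1"))  # recorded bus data, replayed
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    try:
        card.reproduce(b"song-1", phone.request())    # AC1 count is used up
        third_refused = False
    except PermissionError:
        third_refused = True
    return {"plays": plays, "wire_differs": wire[0] != wire[1],
            "replay_rejected": replay_rejected, "third_refused": third_refused}


if __name__ == "__main__":
    print(demo())
```

Because the license key crosses memory interface 1200 only under the per-reproduction key Ks4, a message recorded on the bus during one reproduction does not decrypt in a later one, and the AC1 count is enforced inside the card before any key material leaves it.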

[Distributing Operation]

Operations in the respective sessions of the data distribution system according to the embodiment of the invention will now be described in greater detail with reference to flowcharts.

FIGS. 8, 9 and 10 are first, second and third flowcharts representing a distributing operation, which will also be referred to as a “distribution session” hereinafter, and is performed when purchasing the contents in the data distribution system according to the first embodiment, respectively.

FIGS. 8 to 10 represent an operation performed when user 1 using memory card 110 receives the content data distributed from distribution server 30 via cellular phone 100.

First, user 1 requests distribution via cellular phone 100 of user 1, e.g., by operating keys or buttons on touch key unit 1108 (step S100).

In memory card 110, authentication data holding portion 1400 outputs authentication data {KPmc(i)}KPma in response to this request (step S102).

Cellular phone 100 sends authentication data {KPmc(1)}KPma accepted from memory card 110 as well as authentication data {KPp(1)}KPma of cellular phone 100 itself, the content ID for designating the content data to be distributed and data AC of the license purchase conditions to distribution server 30 (step S104).

Distribution server 30 receives the content ID, authentication data {KPmc(1)}KPma and {KPp(1)}KPma, and license purchase condition data AC (step S106), and performs the decryption with authentication key KPma by decryption processing portion 312. If public encryption keys KPp(1) and KPmc(1) encrypted with authentication key KPma are registered regularly, and are encrypted regularly, public encryption key KPmc(1) of memory card 110 and public encryption key KPp(1) of cellular phone 100 are accepted. If these are not registered regularly, such unregistered public encryption keys KPp(1) and KPmc(1) are not accepted (step S108).

Distribution control portion 315 makes an inquiry to authentication server 12 based on accepted private encryption keys KPmc(1) and KPp(1) (step S110). If these public encryption keys were accepted in step S108, and were regularly registered, these keys are determined as valid keys, and the processing moves to a next step (step S112). If the public encryption keys were not accepted, or if the public encryption keys were accepted but were not registered, these keys are determined as invalid keys, and the processing ends (step S170).

For authenticating public encryption key KPp(1) or KPmc(1) in the decryption processing performed with authentication key KPma, such a structure may be employed that a certificate, which is encrypted into a form decodable with authentication key Kpma, is sent to distribution server 30 together with each public encryption key KPp(1) or KPmc(1).

Since authentication data {KPmc(1)}KPma and {KPp(1)}KPma are encrypted into forms, which allow authentication by decrypting them with authentication key KPma, such a structure may be employed that distribution control portion 315 in license server 10 performs the authentication in its own manner in accordance with results obtained by decryption with authentication key KPma, without sending an inquiry to authentication server 12.

When it is determined from the inquiry that the keys are valid, distribution control portion 315 produces the transaction ID for specifying the distribution session (step S112).

Then, session key generating portion 316 produces session key Ks1 for distribution. Session key Ks1 is encrypted by encryption processing portion 318 with public encryption key KPmc(1) corresponding to memory card 110 and obtained by decryption processing portion 312 (step S114).

The transaction ID and encrypted session key {Ks1}Kmc(1) are externally output via data bus BS1 and communication device 350 (step S116).

When cellular phone 100 receives the transaction ID and encrypted session key {Ks1}Kmc(1) (step S118), memory card 110 operates to decrypt the received data applied onto data bus BS3 by decryption processing portion 1404 with private decryption key Kmc(1), which is held in holding portion 1402 and is unique to memory card 110, and thereby to extract decrypted session key Ks1 (step S120).

When controller 1420 confirms the acceptance of session key Ks1 produced by distribution server 30, it instructs session key generating portion 1418 to produce session key Ks2, which is to be produced during the distribution session in memory card 110. In the distribution session, session key generating portion 1418 of memory card 110 generates a new session key so that session key Ks3 held in the reproduction initialization session is rewritten into session key Ks2.

Encryption processing portion 1406 encrypts session key Ks2 and public encryption key KPm(1), which are applied via a contact Pc of select switch 144 by switching a contact of a select switch 1446, with session key Ks1 applied via contact Pa of select switch 1442 from decryption processing portion 1404, and outputs data {Ks2//KPm(1)}Ks1 onto data bus BS3 (step S122).

Data {Ks2//KPm(1)}Ks1 output onto data bus BS3 is sent from data bus BS3 to cellular phone 100 via terminal 1202 and memory interface 1200, and is sent from cellular phone 100 to distribution server 30 (step S124).

Distribution server 30 receives encrypted data {Ks2//KPm(1)}Ks1, and decrypts it with session key Ks1 by decryption processing portion 320 to accept session key Ks2 produced in memory card and public encryption key KPm(1) unique to memory card 110 (step S126).

Further, distribution control portion 315 produces the license ID, access restriction information AC1 and reproducing circuit restriction information AC2 in accordance with the content ID and license purchase condition data AC obtained in step S106 (step S130). Further, license key Kc for decrypting the encrypted content data is obtained from information database 304 (step S132).

Referring to FIG. 9, distribution control portion 315 applies license key Kc and reproducing circuit restriction information AC2 thus obtained to encryption processing portion 324. Encryption processing portion 324 uses secret key Kcom, which is obtained from Kcom holding portion 322 and is symmetric to the content reproduction circuit, as an encryption key, and encrypts license key Kc and reproducing circuit restriction information AC2 (step S134).

Encrypted data {Kc//AC2}Kcom output from encryption processing portion 324 as well as the license ID, content ID and access restriction information AC1 output from distribution control portion 315 are encrypted by encryption processing portion 326 with public encryption key KPm(1), which is obtained by decryption processing portion 320 and is unique to memory card 110 (step S136).

Encryption processing portion 328 receives the output of encryption processing portion 326, and encrypts it with session key Ks2 produced in memory card 110. Encrypted data {{{Kc//AC2}Kcom//license ID//content ID//AC1}Km(1)}Ks2 output from encryption processing portion 328 is sent to cellular phone 100 via data bus BS1 and communication device 350 (step S138).

As described above, distribution server 30 and memory card 110 exchange the session keys produced thereby, and each execute the encryption with the received encryption key for sending the encrypted data to the other party. Thereby, mutual authentication can also be actually or practically performed when sending and receiving the encrypted data, and thereby the security level in the data distribution system can be improved.

Cellular phone 100 receives encrypted data {{{Kc//AC2}Kcom//license ID//content ID//AC1}Km(1)}Ks2 sent thereto (step S140), and memory card 110 operates to decrypt the received data applied via memory interface 1200 onto data bus BS3 by decryption processing portion 1412. Thus, decryption processing portion 1412 decrypts the data received from data bus BS3 with session key Ks2 applied from session key generating portion 1418, and outputs the decrypted key onto data bus BS4.

In this stage, data bus BS4 is supplied with data {{Kc//AC2}Kcom//license ID//content ID//AC1}Km(1), which can be decrypted with private decryption key Km(1) held in Km(1) holding portion 1421. This data {{Kc//AC2}Kcom//license ID//content ID//AC1}Km(1) is recorded in memory 1415 (step S144).

Further, decryption processing portion 1422 performs the decryption with private decryption key Km(1) unique to memory card 112 so that license ID, content ID and access control information AC1 are recorded in license information holding portion 1440 via data bus BS4 (step S148).

Further, license ID, content ID and access restriction information AC1 are recorded in license information holding portion 1440 (step S150).

When the processing in and before step S150 is normally completed, cellular phone 100 sends a distribution request for the content data to distribution server 30 (step S152).

When distribution server 30 receives the distribution request for the content data, it obtains encrypted content data {Data}Kc and additional data Data-inf from information database 304, and outputs the data thus obtained via data bus BS1 and communication device 350 (step S154).

Cellular phone 100 receives {Data}Kc//Data-inf, and accepts encrypted content data {Data}Kc and additional information Data-inf (step S156). Encrypted content data {Data}Kc and additional information Data-inf are transmitted onto data bus BS3 of memory card 110 via memory interface 1200 and terminal 1202. In memory card 110, encrypted content data {Data}Kc and additional information Data-inf thus received are recorded in memory 1415 as they are (step S158).

Memory card 110 sends a notification of distribution acceptance to distribution server 30 (step S160). When distribution server 30 receives the distribution acceptance (step S162), storage of accounting data in accounting database 302 and other processing for ending the distribution are executed (step S164) so that the whole processing ends (step S170).

Cellular phone 100 starts the reproduction initialization session in the reproduction processing. Processing after this start is the same as that in the reproduction initialization session shown in FIG. 6. Steps S172, S176, S174, S178 and S180 correspond to steps S202, S204, S206, S208 and S210, respectively.

As described above, cellular phone 100 in the distribution session operates in such a manner that the reproduction initialization session is executed for the reproduction immediately after the completion of recording of the distributed content data, and thereby the reproduction initialization session is ended before input of reproduction via touch key unit 1108. Thereby, the reproduction of the content data and music can be started quickly in response to the reproduction request of the user, while keeping an intended security level.

Further, the content data can be distributed in response to thedistribution request only after confirming the validities of publicencryption keys Kp(1) and Kmc(1), which are sent from the contentreproducing portion of cellular phone 100 and memory card 110,respectively. Therefore, distribution to unauthorized devices can beinhibited. Further, encryption for sending and receiving the data usesthe key depending on the receiving side. Therefore, an intended securitylevel in the distribution is ensured.

[Transferring Operation]

Description will now be given on the processing for transferring the content data between the two memory cards.

FIGS. 11, 12 and 13 are first, second and third flowcharts representing the transference of the content data, keys and others between two memory cards 110 and 112 via cellular phones 100 and 102.

In FIGS. 10-12, the natural numbers n, which represent the kinds of cellular phone 100 and memory card 102, respectively, are both equal to one. Also, the natural numbers n, which represent the kinds of cellular phone 102 and memory card 112, respectively, are both equal to two. Natural numbers i used for identifying memory cards 110 and 112 are equal to one and two (i=1 and i=2), respectively.

In FIGS. 10-12, cellular phone 100 and memory card 110 are on the sending side, and cellular phone 102 and memory card 112 are on the receiving side. Memory card 112 has substantially the same structure as memory card 110, and is attached to cellular phone 102. In the following description, respective components and portions of memory card 112 bear the same reference numbers as those of memory card 110.

Referring to FIG. 10, user 1 on the sending side applies a content transfer request via cellular phone 100 of user 1, e.g., by operating keys or buttons on touch key unit 1108 (step S300).

The transfer request thus produced is transmitted to memory card 112 of user 2 on the receiving side via cellular phone 120. In memory card 112, authentication data holding portion 1500 outputs authentication data {KPmc(2)}KPma including public encryption key KPmc(2) corresponding to memory card 112 (step S302).

Authentication data {KPmc(2)}KPma of memory card 112 is sent from cellular phone 102 of user 2 to cellular phone 100 of user 1, and is received by memory card 110 (step S304).

In memory card 110, decryption processing portion 1408 performs the decryption. If public encryption key KPmc(2) encrypted with authentication key KPma is regularly registered and is regularly encrypted, i.e., when the data can be decrypted with authentication key KPma, and the belonging data produced by the decryption can be authenticated, decrypted public encryption key KPmc(2) is accepted as the public encryption key of memory card 112. If the decryption is impossible, or when the belonging data produced by the signal processing cannot be authenticated, the obtained data is not accepted (step S306).

When decryption processing portion 1408 accepts public encryption key KPmc(2) unique to the contents of memory card 112, controller 1420 determines that public encryption key KPmc(2) sent thereto is the public encryption key assigned to the memory card authenticated in this data distribution system, and the processing moves to a next step S312 (step S308). If not accepted, controller 1420 determines that invalid access is made by an unauthorized device, and ends the processing (step S360).

When the authentication result is valid, controller 1420 instructs session key generating portion 1418 to output session key Ks3 generated on the sending side in the transfer session. On the receiving side in the transfer session, session key generating portion 1418 of memory card 110 generated the new session key so that session key Ks3 held in the reproduction initialization session is rewritten into session key Ks2. Session key Ks3 produced by session key generating portion 1418 is transmitted to encryption processing portion 1410. Encryption processing portion 1410 further receives public encryption key KPmc(2) of memory card 112, which is decrypted by decryption processing portion 1408 in step S306, and encrypts session key Ks3 with public encryption key KPmc(2). Thereby, encrypted session key {Ks3}Kmc(2) is output onto data bus BS3 (step S314).

Encrypted session key {Ks3}Kmc(2) is transmitted to memory card 112 via memory interface 1200, cellular phone 100 and cellular phone 102.

Memory card 112 receives encrypted key {Ks3}Kmc(2) sent from memory card 110, and decrypts it by decryption processing portion 1404 with private decryption key Kmc(2) corresponding to memory card 112 to accept session key Ks3 produced by memory card 110 on the sending side (step S316).

In response to acceptance of session key Ks3, controller 1420 of memory card 112 instructs session key generating portion 1418 to produce session key Ks2, which is to be generated on the receiving side in the transfer session. On the receiving side in the transfer session, session key generating portion 1418 of memory card 110 generated the new session key so that session key Ks3 held in the reproduction initialization session is rewritten into session key Ks2. Session key Ks2 produced thereby is transmitted to encryption processing portion 1406 via a contact Pf in select switch 1446 and a contact Pc in select switch 1444.

Encryption processing portion 1406 receives session key Ks3 obtained by decryption processing portion 1404 in step S316, and encrypts session key Ks2 and public encryption key KPm(2), which are obtained via contact Pc in select switch 1444 by appropriately selecting contacts Pf and Pe in select switch 1446, with session key Ks1, and outputs {Ks2//KPm(2)}Ks3 onto data bus BS3 (step S318).

Encrypted data {Ks2//KPm(2)}Ks3 output onto data bus BS3 is transmitted onto data bus BS3 of memory card 110 via cellular phones 102 and 100.

In memory card 110, decryption processing portion 1412 decrypts the encrypted data transmitted onto data bus BS3 with session key Ks3, and accepts session key Ks2 and public encryption key KPm(2) related to memory card 112 (step S320).

In accordance with the acceptance of session key Ks2 and public encryption key KPm(2), controller 1420 in memory card 110 determines the access restriction information AC1 in license information holding portion 1440 (step S322). When it is determined from access control information AC1 that transfer of license is impossible, the transfer is stopped at this stage (step S360).

When it is determined from access restriction information AC1 that the transfer session is allowed, the processing moves to next step S322, and controller 1420 obtains the corresponding content ID and license ID from license information holding portion 1440, updates the access restriction information in license information holding portion 1440, and records the inhibition of subsequent reproduction and transfer (step S324). In response to this, access restriction information AC1 is determined in each of the reproduction session and the transfer session, and processing is performed to inhibit the subsequent reproduction session and the subsequent transfer session.

Controller 1420 instructs memory 1415 to output encrypted data {{Kc//AC2}Kcom//license ID//content ID//AC1}Km(1) relating to session key Kc and reproduction information corresponding to the content to be transferred. Encrypted data {{Kc//AC2}Kcom//license ID//content ID//AC1}Km(1) output from memory 1415 is decrypted so that {Kc//AC2}Kcom is obtained on data bus BS4 (step S326).

The license ID, content ID and access restriction information AC1, which are obtained from license information holding portion 1440 in step S324, and {Kc//AC2}Kcom obtained in step S326 are taken into encryption processing portion 1424 via data bus BS4, and are encrypted. Encryption processing portion 1424 encrypts these received data with public encryption key KPm(2), which is obtained by decryption processing portion 1412 in step S320, and is unique to memory card 112, to produce {{Kc//AC2}Kcom//license ID//content ID//AC1}Km(2) (step S328).

Encrypted data {{Kc//AC2}Kcom//license ID//content ID//AC1}Km(2), which is output onto data bus BS4, is transmitted to encryption processing portion 1406 via contact Pd of select switch 1444. Encryption processing portion 1406 receives session key Ks2, which was prepared by memory card 112 and is obtained by decryption processing portion 1412, via contact Pb of select switch 1442, and encrypts the data received from contact Pd with session key Ks2.

Encryption processing portion 1406 outputs data {{{Kc//AC2}Kcom//license ID//content ID//AC1}Km(2)}Ks2 onto data bus BS3 (step S330). In step S330, the encrypted data output onto data bus BS3 is transmitted to memory card 112, which is on the receiving side in the transfer session, via cellular phones 100 and 102.

In memory card 112, decryption processing portion 1412 performs the decryption with session key Ks2 produced by session key generating portion 1418, and accepts {{Kc//AC2}Kcom//license ID//content ID//AC1}Km(2) (step S332).

Data {{Kc//AC2}Kcom//license ID//content ID//AC1}Km(2) thus accepted is recorded while keeping a form encrypted with public encryption key KPm(2) (step S334).

Further, decryption processing portion 1422 performs decryption with private decryption key Km(2) unique to memory card 112 so that license ID, content ID and access restriction information AC1 are accepted (step S336).

The license ID, content ID and access restriction information AC1 thus accepted are recorded in license information holding portion 1440 (step S338).

When the processing in and before step S338 is normally completed in the foregoing manner, a request for duplication of the content data is further issued via cellular phone 102 in response to the transfer of the encrypted data of license key Kc and the distribution information (step S340).

The request for duplication of the content data is transmitted to memory card 110 via cellular phone 100. In response to this, corresponding encrypted content data {Data}Kc and additional information Data-inf are output from memory 1415 in memory card 110 onto data bus BS3 (step S342). These data output onto data bus BS3 are transmitted to memory card 112 via memory interface 1200, cellular phone 100 and cellular phone 102, and are recorded in memory 1415 in memory card 112 (step S344).

When recording of encrypted content data {Data}Kc and additional information Data-inf is completed, transfer acceptance is sent via cellular phone 102 (step S346).

When memory card 112 and corresponding cellular phone 102 normally execute the reproduction session in response to the above transfer acceptance, the user can listen to music via cellular phone 102 based on the content data recorded in memory card 112.

Cellular phone 100 on the sending side receives the transfer acceptance sent from cellular phone 102 (step S348), and receives an instruction from the user via touch key unit 1108 to either erase or hold the content data (step S350).

When erasing of the content data is instructed via touch key unit 1108, corresponding encrypted content data {Data}Kc and additional information Data-inf are erased in memory 1415 within memory card 110 (step S354). When holding of the content data is instructed, step S354 is skipped, and the transfer processing ends in this stage (step S356).

After the transfer session was normally performed and transfer processing ending step S356 is performed, or when processing is skipped after step S308 or S322 because the transfer session is stopped as a result of authentication or the like, the processing moves to a next step S358.

The reproduction information such as corresponding content ID recorded in license information holding portion 1440 is in the same state as the erasing because access restriction information AC1 was updated in step S324 to inhibit the reproduction session and the transfer session. When the bank storing the reproduction information in this state receives new reproduction information distributed or transferred thereto for new content data, overwriting is allowed. Therefore, similar effects can be achieved by erasing all the data in this bank.

In the state where the encrypted content data is already recorded in memory 1415, the encrypted content data can be reproduced for listening to the music only by accessing distribution server 30 and receiving the distributed reproduction information. The processing of distributing only the reproduction information is not represented in the flowcharts. However, this processing is substantially the same as the processing in the distribution session shown in FIGS. 9 and 10 except that steps S152, S154, S156 and S158 relating to the sending and receiving of the encrypted content data are not performed, and therefore description thereof is not repeated.

When transfer processing ends in step S356, cellular phone 100 outputs data [KPp(1)]KPma for authentication to memory card 110 (step S358).

Memory card 110 receives data [KPp(1)]KPma from cellular phone 100, and decryption processing portion 1408 decrypts it with key KPma so that key KPp(1) is accepted (step S360).

In memory card 110, controller 1420 authenticates cellular phone 100 based on key KPp(1) thus accepted (step S362).

When the transfer ending processing is performed in step S356, cellular phone 100 starts the reproduction initialization session between memory card 110 and cellular phone 100. Subsequent steps S358, S360, S362, S364 and S366 correspond to steps S202, S204, S206, S208 and S210 in FIG. 6, respectively, so that description thereof is not repeated. When cellular phone 100 completes reproduction initialization session, it ends the processing (step S390).

When cellular phone 102 sends the transfer acceptance in step S346, cellular phone 102 starts the reproduction initialization session between memory card 110 and cellular phone 102. Subsequent steps S348, S350, S352, S354 and S356 correspond to steps S202, S204, S206, S208 and S210 in FIG. 6, respectively, so that description thereof is not repeated. When cellular phone 102 completes reproduction initialization session, it ends the processing (step S390).

As described above, cellular phone 100 on the sending side and cellular phone 102 on the receiving side in the transfer session operate in such a manner that the reproduction initialization session is executed for the reproduction immediately after the completion of sending/receiving of the transferred content data, and thereby the reproduction initialization session is ended before instruction of reproduction via touch key unit 1108 of each cellular phone. Thereby, the reproduction of the content data and music can be started quickly in response to the reproduction request of the user, while keeping an intended security level.

Further, memory card 110 on the sending side transfers the reproduction information including the license key in response to the transfer request only after confirming the validity of public encryption key Kmc(2), which is sent from memory card 112 on the receiving side. Therefore, transfer to an unauthorized memory card can be inhibited. Further, encryption for sending and receiving the data uses the key depending on the receiving side. Therefore, an intended security level in the transfer session is ensured.
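The key layering of the transfer session described above (steps S314 to S338), modelled in Python as an added example that is not part of the patent text. Toy stand-in ciphers replace the unspecified public-key and symmetric algorithms, the receiver's KPmc(2) is assumed to have passed the check of steps S306 to S308, and the `play`/`transfer` flags inside AC1, the sample IDs and the forwarding of the pre-update AC1 are assumptions of the example.

```python
import hashlib, hmac, json, secrets

E = 65537  # public exponent of the toy RSA below

def _stream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def sym_enc(key, data):
    """Toy authenticated symmetric cipher (stand-in for the session-key and Kcom ciphers)."""
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def sym_dec(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified data")
    return bytes(a ^ b for a, b in zip(body, _stream(key, nonce, len(body))))

def rsa_keypair(a, b):
    """Toy RSA key pair from the Mersenne primes 2**a-1 and 2**b-1 (constructed, not secure)."""
    p, q = 2**a - 1, 2**b - 1
    return (p * q, E), (p * q, pow(E, -1, (p - 1) * (q - 1)))

def pk_enc(pub, data):
    """Hybrid public-key encryption: RSA wraps a fresh key, sym_enc carries the data."""
    n, e = pub
    k = secrets.token_bytes(16)
    size = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(k, "big"), e, n).to_bytes(size, "big") + sym_enc(k, data)

def pk_dec(priv, blob):
    n, d = priv
    size = (n.bit_length() + 7) // 8
    k = (pow(int.from_bytes(blob[:size], "big"), d, n) % 2**128).to_bytes(16, "big")
    return sym_dec(k, blob[size:])

def pack(obj):
    return json.dumps(obj).encode()

def unpack(raw):
    return json.loads(raw)

class Card:
    def __init__(self, mc, m):
        self.kpmc, self.kmc = rsa_keypair(*mc)  # KPmc(i) / Kmc(i)
        self.kpm, self.km = rsa_keypair(*m)     # KPm(i) / Km(i)
        self.memory = {}    # memory 1415: records kept encrypted under KPm(i)
        self.licenses = {}  # license information holding portion 1440

    def store(self, kcom_blob, license_id, content_id, ac1):
        rec = {"kcom_blob": kcom_blob.hex(), "license_id": license_id,
               "content_id": content_id, "ac1": ac1}
        self.memory[content_id] = pk_enc(self.kpm, pack(rec))
        self.licenses[content_id] = {"license_id": license_id, "ac1": dict(ac1)}

def transfer(tx, rx, content_id):
    """Move one license from card tx to card rx; returns the three messages on the wire."""
    ks3 = secrets.token_bytes(16)                                  # S314 (sender)
    m1 = pk_enc(rx.kpmc, ks3)                                      # {Ks3}Kmc(2)
    ks3_rx = pk_dec(rx.kmc, m1)                                    # S316 (receiver)
    ks2 = secrets.token_bytes(16)                                  # S318 (receiver)
    m2 = sym_enc(ks3_rx, pack({"ks2": ks2.hex(), "kpm": rx.kpm}))  # {Ks2//KPm(2)}Ks3
    got = unpack(sym_dec(ks3, m2))                                 # S320 (sender)
    ks2_tx, kpm2 = bytes.fromhex(got["ks2"]), tuple(got["kpm"])
    held = tx.licenses[content_id]                                 # S322: consult AC1
    if not held["ac1"]["transfer"]:
        raise PermissionError("AC1 forbids transfer")
    ac1_out = dict(held["ac1"])            # assumption: receiver gets the pre-update AC1
    held["ac1"] = {"play": False, "transfer": False}  # S324: inhibit before data leaves
    old = unpack(pk_dec(tx.km, tx.memory[content_id]))             # S326
    rec = {"kcom_blob": old["kcom_blob"], "license_id": held["license_id"],
           "content_id": content_id, "ac1": ac1_out}
    m3 = sym_enc(ks2_tx, pk_enc(kpm2, pack(rec)))                  # S328 then S330
    inner = sym_dec(ks2, m3)                                       # S332 (receiver)
    rx.memory[content_id] = inner                                  # S334: kept under KPm(2)
    fields = unpack(pk_dec(rx.km, inner))                          # S336
    rx.licenses[content_id] = {"license_id": fields["license_id"],
                               "ac1": fields["ac1"]}               # S338
    return m1, m2, m3

def demo():
    kcom, kc = secrets.token_bytes(16), secrets.token_bytes(16)  # never held by a card
    card1 = Card((61, 89), (107, 127))
    card2 = Card((521, 607), (1279, 2203))
    card1.store(sym_enc(kcom, kc + b"//AC2"), "LIC-0001", "SONG-0001",
                {"play": True, "transfer": True})                # constructed sample license
    wire = transfer(card1, card2, "SONG-0001")
    stored = unpack(pk_dec(card2.km, card2.memory["SONG-0001"]))
    recovered = sym_dec(kcom, bytes.fromhex(stored["kcom_blob"]))  # done by the player
    return card1, card2, kc, recovered, wire

if __name__ == "__main__":
    c1, c2, kc, recovered, _ = demo()
    print(c1.licenses, c2.licenses, recovered == kc + b"//AC2")
```

Because the sender's AC1 is inhibited at S324 before the wrapped record is produced, a second transfer attempt from the same card is refused and an interrupted session leaves at most one usable license.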

[Second Embodiment]

A data distribution system of a second embodiment differs from the data distribution system of the first embodiment in the following points. Data {{Kc//AC2}Kcom//license ID//content ID//AC1}Km(1) of the encrypted license key and others is prepared by encrypting the encrypted license key and others with public encryption key Km(1) in the public key cryptosystem using encryption and encryption keys, which are asymmetrical to each other, and is distributed. The data thus distributed is decrypted with key Km(1), and then is stored in memory 1415 after being encrypted again with a symmetric key, i.e., private symmetric key K(i) unique to the memory card.

Thus, the data distribution system of the second embodiment differs from that of the first embodiment in that memory card 114 is employed instead of memory card 110 employed in the data distribution system of the first embodiment and already described with reference to FIG. 5.

FIG. 14 represents characteristics of data, information and others used for communication in the data distribution system of the second embodiment, and corresponds to FIG. 2 representing the first embodiment. However, the characteristics in FIG. 14 differ from those in FIG. 2 only in that the symmetric key, i.e., private symmetric key K(i) unique to the memory card is employed as already described, and therefore description thereof is not repeated.

FIG. 15 is a block diagram showing a structure of a memory card 114 of the second embodiment, and corresponds to FIG. 5 showing the first embodiment.

Referring to FIG. 15, memory card 114 differs from memory card 110 of the first embodiment shown in FIG. 5 in that memory card 114 includes a K(1) holding portion 1450 for holding private symmetric key K(1) unique to the memory card, an encryption processing portion 1452 for encrypting the data on data bus BS4 with private symmetric key K(1), and a decryption processing portion 1454 for decrypting the data on data bus BS4 with private symmetric key K(1).

Structures other than the above are substantially the same as those of memory card 110 of the first embodiment. The same portions bear the same reference numbers, and description thereof is not repeated.

FIGS. 16, 17 and 18 are first, second and third flowcharts representing the distribution operation performed for purchasing contents in the data distribution system according to the second embodiment, and correspond to FIGS. 8, 9 and 10 representing the first embodiment, respectively.

FIGS. 16-19 represent the operations, in which user 1 uses memory card 114 for receiving the content data distributed from distribution server 30 via cellular phone 100.

The processing represented in FIGS. 16-18 differs from the distribution processing using memory card 110 in the following points. In step S144, memory card 114 accepts data {{Kc//AC2}Kcom//license ID//content ID//AC1}Km(1), and decryption processing portion 1422 decrypts {{Kc//AC2}Kcom//license ID//content ID//AC1}Km(1) with private decryption key Km(1) in accordance with an instruction from controller 1420 so that data {Kc//AC2}Kcom, license ID, content ID and access restriction information AC1 are accepted (step S146′). The data {Kc//AC2}Kcom, license ID, content ID and access restriction information AC1 thus accepted are encrypted by encryption processing portion 1452 with private symmetric key K(1) unique to memory card 114, and {{Kc//AC2}Kcom//license ID//content ID//AC1}K(1) is recorded in memory 1415 outside the TRM region (step S148′).

According to the above distribution processing, data {Kc//AC2}Kcom, license ID, content ID and access restriction information AC1 are decrypted with private decryption key Km(1) in step S146, and then are encrypted again with private symmetric key K(1) before recording in memory 1415 in step S148. These manners are employed for the following reasons.

According to the public key cryptosystem using asymmetric keys, i.e., according to a combination of public encryption key KPm(1) and private decryption key Km(1), a long time may be required for the decryption processing.

Therefore, the data is encrypted again with private symmetric key K(1), which is unique to the memory card, in the symmetric key cryptosystem allowing fast decryption. Thereby, decryption of license key Kc and reproduction restriction information AC1, which are information required for the reproduction, can be performed rapidly in the processing of reproducing the content data corresponding to the encrypted content data.

Further, the key for data sending is different from the key for storing the data in the memory card. Such different keys improve the security level.

The public key cryptosystem described above may be specifically an RSA cryptosystem (Rivest-Shamir-Adleman cryptosystem), elliptic curve cryptosystem or the like, and the symmetric key cryptosystem may be specifically a DES (Data Encryption Standard) cryptosystem or the like.

Description has been given on the structure, in which the data encrypted based on keys KPm(1)/Km(1) in the public key cryptosystem, which uses the encryption and decryption keys asymmetric to each other, is re-encrypted with private symmetric key K(1) in the symmetric key cryptosystem using the encryption and decryption keys, which are entirely symmetric to each other. However, another structure may be employed. For example, such a structure may be employed that license ID, content ID and access restriction information AC1, which are held in license information holding portion 1440 provided within the TRM region of memory card 110, are neither re-encrypted nor stored in memory 1415, and data {Kc//AC2}Kcom are recorded in memory 1415 after being re-encrypted with symmetric private key K(1).

Operations other than the above are substantially the same as the distribution operations in the first embodiment. The same steps and operations bear the same reference numbers, and description thereof is not repeated.

FIG. 19 is a flowchart representing operations of various portions in the reproduction session using memory card 114 in the second embodiment.

According to memory card 114 in the second embodiment, it is assumed that the processing for the reproduction initialization session is performed similarly to memory card 110 in the first embodiment.

The distribution processing using memory card 110 in the second embodiment differs from the distribution processing using memory card 110 in the first embodiment in that processing in a step S222′ shown in FIG. 19 is performed such that encrypted data {{Kc//AC2}Kcom//license ID//content ID//AC1}K(1) read from memory 1415 onto data bus BS4 is decrypted by decryption processing portion 1454 with private key K(1) held in a K(1) holding portion 1451.

Operations other than the above are substantially the same as the distribution operations in the first embodiment. The same steps and operations bear the same reference numbers, and description thereof is not repeated.

[Transfer Operation]

FIGS. 20, 21 and 22 are first, second and third flowcharts representing operations for transfer in the second embodiment, respectively.

The transfer operations of the memory card in the second embodiment are basically the same as those in the first embodiment.

The operations for transfer between memory cards 114 and 116 in the second embodiment are different from the operations for transfer between memory cards 110 and 112 in steps S326′, S334′ and S336′. In step S326′, controller 1420 instructs memory 1415 to output session key Kc corresponding to the contents to be transferred and encrypted data {{Kc//AC2}Kcom//license ID//content ID//AC1}K(1) relating to the reproduction information. Encrypted data {{Kc//AC2}Kcom//license ID//content ID//AC1}K(1) output from memory 1415 is decrypted by decryption processing portion 1454 with private symmetric key K(1) to obtain {Kc//AC2}Kcom on data bus BS4.

In step S334′, {{Kc//AC2}Kcom//license ID//content ID//AC1}Km(2) accepted in step S332 is decrypted by decryption processing portion 1422 with private decryption key Km(2) unique to memory card 116 so that {Kc//AC2}Kcom, license ID, content ID and access restriction information AC1 are output onto data bus BS4.

In step S336′, {Kc//AC2}Kcom, license ID, content ID and access restriction information AC1 output onto data bus BS4 in step S334′ are encrypted again by encryption processing portion 1452 with private symmetric key K(2), and then are recorded in memory 1415 via data bus BS4.

Operations other than the above are substantially the same as the transfer operations in the first embodiment. The same steps and operations bear the same reference numbers, and description thereof is not repeated.

Owing to the above structure, the reproduction can be started more quickly, and the security of the content data can be enhanced.

The processing in the first embodiment differs from that in the second embodiment only in the processing within the memory card, and there is no difference in encryption of the data outside the memory card between the first and second embodiments. The transfer operations can be performed by employing any combination of those on the sending and receiving sides in the first and/or second embodiments already described.

Accordingly, memory cards 110 and 114 are compatible with each other.

[Third Embodiment]

A data distribution system of the third embodiment differs from that of the first embodiment in that the distribution server and the content reproducing circuit of the cellular phone do not perform the encryption and decryption processing with secret key Kcom common to the content reproducing circuit.

The data distribution system of the third embodiment differs from the data distribution system of the first embodiment already described with reference to FIG. 3 in that a license server 11 is employed instead of license server 10 in distribution server 30 provided in the data distribution system of the first embodiment. Further, the data distribution system of the third embodiment employs a cellular phone 103 instead of cellular phone 100 already described with reference to FIG. 4.

FIG. 23 represents characteristics of data, information and others used for communication in the data distribution system of the third embodiment, and corresponds to FIG. 2 representing the first embodiment. The characteristics in FIG. 23 differ from those in FIG. 2 only in that secret key Kcom is not employed, and therefore description thereof is not repeated.

FIG. 24 is a schematic block diagram showing a structure of a license server 11 in the data distribution system according to the third embodiment.

License server 11 differs from license server 10 in that license server 11 employs neither Kcom holding portion 322 for secret key Kcom common to the reproducing circuit nor encryption processing portion 324 for performing encryption with secret key Kcom. In distribution server 31, license key Kc and reproducing circuit control information AC2 output from distribution control portion 315 are directly transmitted to encryption processing portion 326. Circuit structures and operations other than the above are substantially the same as those of license server 10 shown in FIG. 3, and therefore, description thereof is not repeated.

License server 11, authentication server 12 and distribution carrier 20 may be collectively referred to as “distribution server 31”.

FIG. 25 is a schematic block diagram showing a structure of cellular phone 103 used in the data distribution system according to the third embodiment.

Referring to FIG. 25, cellular phone 103 differs from cellular phone 100 in the first embodiment already described with reference to FIG. 4 in that cellular phone 103 is not provided with Kcom holding portion 1512 for holding secret key Kcom common to the reproducing circuit and decryption processing portion 1514 using secret key Kcom.

Since distribution server 31 does not perform the encryption with secret key Kcom, license key Kc can be obtained directly by decryption processing portion 1510, which performs decryption with session key Ks4, so that license key Kc is directly applied to decryption processing portion 1510 according to cellular phone 103. Circuit structures and operations other than the above are substantially the same as those of cellular phone 100, and therefore, description thereof is not repeated.

The memory card used in the data distribution system according to the third embodiment has the same structure as memory card 110 shown in FIG. 5, and therefore, description thereof is not repeated.

By eliminating the encryption with secret key Kcom common to the reproducing circuit, a difference occurs in operations of each of the distribution session and reproduction session. This difference will now be described with reference to flowcharts.

FIGS. 26, 27 and 28 are first, second and third flowcharts showing distribution operations in the data distribution system according to the third embodiment, respectively. With reference to FIGS. 26-28, description will now be given on only differences with respect to the distribution operations of the data distribution system of the first embodiment, which are already described with reference to the flowcharts of FIGS. 8 to 10.

Referring to FIGS. 26-28, processing in and before step S132 is the same as that in the flowchart of FIG. 9 already described.

As already described with reference to FIG. 24, license key Kc andreproducing circuit control information AC2 obtained in step S132 areencrypted with public encryption key KPm(1) unique to memory card 110without being encrypted with secret key Kcom. Therefore, step S134 iseliminated.

Subsequently to step S132, steps 136 a-S148 a are executed instead ofsteps S136-S148, respectively. Steps 136 a-S148 a differ from respectivesteps S136-S148 in that license key Kc and reproducing circuit controlinformation AC2 are handled in the form of Kc//AC2 without encryption,and the form of {Kc//AC2}Kcom handled in steps S136-S148 is not used.The processing for encryption and decryption other than the above issubstantially the same as that already described with reference to FIG.9, and therefore, description thereof is not repeated.

FIG. 29 is a flowchart representing the reproduction operations in thedata distribution system according to the third embodiment. In the thirdembodiment, it is assumed that the reproduction initialization sessionis performed similarly to the first embodiment.

Referring to FIG. 29, the reproduction operations in the datadistribution system according to the third embodiment differs from thereproduction operations in the data distribution system according to thefirst embodiment shown in FIG. 6 in that steps S222 a-S226 a areexecuted instead of steps S222-S226, respectively. Steps S222 a-226 adiffer from respective steps S222-S226 in that license key Kc andreproducing circuit control information AC2 are handled in the form ofKc//AC2, and the form of {Kc//AC2}Kcom handled in steps S222-S226 is notused. The processing for encryption and decryption other than the aboveis substantially the same as that already described with reference toFIG. 10, and therefore, description thereof is not repeated. Sincelicense key Kc and reproducing circuit restriction control AC2 are notencrypted with secret key Kcom, but are encrypted with public encryptionkey Km(1) unique to memory card 110, step S228 is eliminated. Stepsother than the above are substantially the same as those shown in FIG.10, and therefore, description thereof is not repeated.

FIGS. 30, 31 and 32 are first, second and third flowcharts representingthe transfer operation in the third embodiment, respectively.

The operations for transfer between cellular phones 103 and 105 havingsubstantially the same structure are substantially the same as those inthe first embodiment except for that license key Kc and reproducingcircuit restriction information AC2 are not encrypted with secret keyKcom in the third embodiment. Thus, the operations in the thirdembodiment are substantially the same as those in the first embodimentexcept for that steps S326 a-S336 a are employed instead of stepsS326-S336. Therefore, description thereof is not repeated.

Owing to the above structure, the data distribution system, which canachieve effects similar to those of the data distribution systemaccording to the first embodiment, can be achieved although the systemdoes not use secret key Kcom, which is symmetric to the contentreproducing circuit (cellular phone), for performing the encryption inthe license server and the decryption in the cellular phone.

Likewise, the data distribution system in the second embodiment can beconfigured such that the distribution server and the cellular phone donot perform the encryption and decryption using secret key Kcomsymmetric to the reproducing circuit. The reproducing device may be adevice other than a cellular phone, and may be formed of a structure notreceiving the distribution.

Although the present invention has been described and illustrated in detail, it is clearly understood that the same is by way of illustration and example only and is not to be taken by way of limitation, the spirit and scope of the present invention being limited only by the terms of the appended claims.

1. A data reproducing device (100) for decrypting encrypted content data to reproduce content data, comprising: a data storing portion (110) for holding said encrypted content data and a license key for decrypting said encrypted content data, outputting said license key in an encrypted form and being removably attached to said data reproducing device; a data reproducing portion for receiving the output of said data storing portion, and reproducing said encrypted content data; and a first control portion (1106) for controlling transmission of data between said data storing portion and said data reproducing portion, wherein said data producing portion includes: a first decryption processing portion (1516) for receiving said license key and said encrypted content data read from said data storing portion, and decrypts said encrypted content data with said license key to extract the content data, an authentication data holding portion (1500) for holding authentication data ({KPp(1)}KPma) prepared by encrypting a public key (KPp(1)) preapplied to said data reproducing portion into a form decodable with a public authentication key (KPma) for outputting the encrypted authentication data to said data storing portion, a private key holding portion (1502) for holding a private key used for decrypting data encrypted with said preapplied public key, a second decryption processing portion (1504) for receiving a first session key (Ks3) encrypted with said public key and supplied from said data storing portion, performing decryption with said private key to extract said first session key, and holding the extracted first session key, a first session key generating portion (1508) for producing a second session key (Ks4) to be updated upon every access to said data storing portion for obtaining said license key, a first encryption processing portion (1506) for encrypting said second session key with said first session key held by said second decryption processing portion for output to said data storing portion, and, a third decryption processing portion (1510) for receiving said license key (Kc) encrypted with said second session key and supplied from said data storing portion, performing the decryption with said second session key to extract said license key, and supplying the extracted license key to said first decryption processing portion; said data storing portion includes; a recording portion (1415) for recording said encrypted content data and said license key, a fourth decryption processing portion (1408) for receiving said authentication data, and decrypting said authentication data with said public authentication key to extract the public key, a second control portion (1420) for performing authentication processing based on results of the decryption processing by said fourth decryption processing portion to determine whether said license key is to be output to said data reproducing portion or not, a second session key generating portion (1418) for producing and holding said second session key (Ks4) to be updated every time said second control portion determines that said license key is to be output to said data reproducing portion, a second encryption processing portion (1410) for encrypting said second session key with said public key for applying said second session key to said data reproducing portion, a fifth decryption processing portion (1412) for decrypting, with said first session key, said second session key applied from said data reproducing portion and encrypted with said first session key to extract said first session key, and a third encryption processing portion (1406) for encrypting said license key with said second session key for applying said license key to said data reproducing portion; and said first control portion performs the control to utilize said first session key common to processing of supplying the plurality of license keys to said content reproducing portion from said data storing portion corresponding to the plurality of continuous reproduction operations of the encrypted content data, to utilize, in each of said plurality of license key supply operations, said second session key different from those for the other license key supply operations, and controls said second decryption processing portion to hold said first session key during a predetermined period common to said plurality of license key supply operations.
2. The data reproducing device according to claim 1, wherein said data storing portion is a memory card removably attached to said data reproducing device.
3. The data reproducing device according to claim 1, wherein said predetermined period is a period determined within an active period of said data reproducing device and after attachment of said data storing portion to said data producing portion.
4. The data reproducing device according to claim 1, wherein said predetermined period is a period determined after said reproducing device carrying said data storing portion becomes active.
5. The data reproducing device according to claim 1, wherein said license key is recorded in said recording portion after being encrypted into a form decodable with a decryption key (Kcom) predetermined with respect to said data reproducing portion; and said third decryption processing portion has a first decryption block (1510) for decrypting, with said second session key, said license key encrypted with said decryption key and further decrypted with said second session key, and a second decryption block (1512, 1514) for receiving the output of said first decryption block, and decrypting the received output with said decryption key to extract said license key.
6. A data reproducing device (100) for storing encrypted content data and a license key for decrypting said encrypted content data, forming an encryption communication path for output of said license key, receiving said encrypted content data and said license key from a data recording device outputting said license key via said encryption communication path, and reproducing said encrypted content data, comprising: a control portion (1106) for controlling transmission of the data between said data recording device and said data reproducing device; a first decryption processing portion (1506) for receiving said license key and said encrypted content data read from said data recording device, and decrypting said encrypted content data with said license key to extract the content data; an authentication data holding portion (1500) for holding authentication data ({KPp(1)}KPma) prepared by encrypting a public key (KPp(1)) preapplied to said data reproducing portion into a form decodable with a public authentication key (KPma) for outputting the encrypted authentication data to said data recording device; a private key holding portion (1502) for holding a private key (Kp) used for decrypting data encrypted with said preapplied public key; a second decryption processing portion (1504) for receiving a first session key (Ks3) updated upon every input of said authentication data, encrypted with said public key and supplied from said data recording device, performing decryption with said private key to extract said first session key, and holding the extracted first session key; a first session key generating portion (1508) for producing a second session key (Ks4) to be updated upon every access to said data storing portion for obtaining said license key; a first encryption processing portion (1506) for encrypting said second session key with said first session key held by said second decryption processing portion for output to said data recording device; and a third decryption processing portion (1510) for receiving said license key (Kc) encrypted with said second session key and supplied from said data storing portion, performing the decryption with said second session key to extract said license key, and supplying the extracted license key to said first decryption processing portion, wherein said control portion performs the control to utilize said first session key common to processing of supplying the plurality of license keys to said content reproducing portion from said data storing portion corresponding to the plurality of continuous reproduction operations of the encrypted content data, to utilize, in each of said plurality of license key supply operations, said second session key different from those for the other license key supply operations, and controls said second decryption processing portion to hold said first session key during a predetermined period common to said plurality of license key supply operations.
7. The data reproducing device according to claim 6, wherein said license key is recorded in said data recording device after being encrypted into a form decodable with a decryption key (Kcom) predetermined with respect to said data reproducing device; and said third decryption processing portion has a first decryption block (1510) for decrypting, with said second session key, said license key encrypted with said decryption key and further decrypted with said second session key, and a second decryption block (1512, 1514) for receiving the output of said first decryption block, and decrypting the received output with said decryption key to extract said license key.
8. The data reproducing device according to claim 6, wherein said predetermined period is a period determined within an active period of said data reproducing device and after attachment of said data storing portion to said data producing portion.
9. The data reproducing device according to claim 6, wherein said predetermined period is a period determined after said reproducing device carrying said data storing portion becomes active.